[BUG] DR review unable to find snapshot for head SHA when used in reusable workflow with workflow_call #892

Open
AppSecCharlie opened this issue Feb 5, 2025 · 0 comments
Labels
bug Something isn't working

Comments

@AppSecCharlie

Describe the bug
When using [email protected] inside a reusable workflow invoked from another repository, the action consistently logs:

No snapshots were found for the head SHA <commit-hash>.

This warning also appears on the comment added to the PR. I'm using this in a reusable workflow, triggered by workflow_call with head-ref and base-ref being passed to the workflow as inputs (as recommended in the docs for non-pull request triggered jobs).

To troubleshoot this, I’ve also attempted:

  • Checking out the PR ref with actions/checkout
  • Manually submitting a dependency snapshot for head-ref using the Dependency Graph API.
  • Confirming the snapshot was accepted in the workflow logs.
  • Setting retry-on-snapshot-warnings: true and waiting up to about 10 minutes for the dependency graph to update.

Despite that, the action still mostly works, but it adds the warning above that I'd like to fix or suppress.

To Reproduce
Create a reusable workflow e.g. my-org/my-gha-repo/.github/workflows/dependency_review.yml

name: "Dependency Review"
on:
  workflow_call:
    inputs:
      base-ref:
        description: 'Custom git base reference'
        required: false
        default: ''
        type: string
      head-ref:
        description: 'Custom git head reference'
        required: false
        default: ''
        type: string

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          base-ref: ${{ inputs.base-ref }}
          head-ref: ${{ inputs.head-ref }}
          retry-on-snapshot-warnings: true

Then, call the reusable workflow from a different repository (where dependency-review-action works fine in a standalone workflow), e.g. my-org/my-other-repo/.github/workflows/dependency_review_pr.yml

name: 'Dependency Review'

on:
  pull_request:
    branches:
      - main

jobs:
  dependency-review:
    permissions:
      pull-requests: write
      contents: write
    uses: my-org/my-gha-repo/.github/workflows/dependency_review.yml@main
    with:
      base-ref: ${{ github.event.pull_request.base.sha }}
      head-ref: ${{ github.event.pull_request.head.sha }}

Expected behavior

Basically the action should act as it does when used by itself in a standalone repo (no retries required, no head SHA snapshot errors).

  • If dependency-review-action does not require snapshots for PR branches, it should allow suppressing this warning.
  • If a valid snapshot exists for head-ref, the action should detect it correctly and not log repeated warnings.

Action version
Using actions/dependency-review-action@v4 (v4.5.0)

Examples
Example workflows above. I can drop them in a public repo if necessary.

Additional context
As I said, I've also tried adding jobs to this reusable workflow to generate an SBOM/dependency snapshot for the head ref and upload that to the dependency submission API, but that doesn't resolve the problem. I am able to generate and upload the SBOM, and it's ACCEPTED, but since it's not for the default branch I'm not sure if Dependency Review can find it:

SBOM upload response: 201 {
  id: 12345678,
  created_at: '2025-02-05T02:34:11.184Z',
  result: 'ACCEPTED',
  message: 'The snapshot was accepted, but it is not for the default branch. It will not update dependency results for the repository.'
}

And the subsequent DR job can't seem to find the snapshot:

Run actions/dependency-review-action@v4
  with:
    base-ref: <base SHA>
    head-ref: <head SHA>
    repo-token: ***
No snapshots were found for the head SHA
[retries for a few times up to 10 mins]

...though since generating a snapshot isn't required when using Dependency Review by itself in a repo on: pull_request, I wouldn't expect that I'd need to do it manually from within a reusable workflow.

I've looked at other Issues and didn't see any related info. E.g. #626 is somewhat related but seems like a different issue. And #30 / release 2.1.0 seems to imply that what I'm trying is possible, but not sure what's going wrong with the snapshot.

Basically, is there a known configuration required for dependency-review-action to work inside a reusable workflow, or an option to suppress this warning when snapshots are not available for PR branches?

Thanks!

@AppSecCharlie AppSecCharlie added the bug Something isn't working label Feb 5, 2025
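As an added example that is not part of the issue above and not code from actions/dependency-review-action: the script below shows the two API-level pieces the report touches, building a Dependency Submission API snapshot body pinned to the PR head SHA and ref (the sha/ref pair the action later queries as head-ref), and evaluating a Dependency Graph compare diff for base...head the way dependency review does, failing on newly added packages that carry advisories at or above a severity threshold. SAMPLE_COMPARE is constructed to match the documented shape of the compare endpoint's response; its package names and GHSA-style ids are placeholders, not real advisories. The response header read in fetch_compare() is an assumption about where the action's snapshot-warning text originates; everything else runs offline.

```python
"""Snapshot submission body and compare-diff evaluation for a PR base...head.

Added example, not the action's own code. SAMPLE_COMPARE is constructed; the
snapshot-warnings header name in fetch_compare() is an assumption.
"""
import json
import sys
import urllib.request
from datetime import datetime, timezone

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}


def build_snapshot(sha, ref, manifest_path, package_urls,
                   correlator="dependency-review", run_id="0"):
    """Body for POST /repos/{owner}/{repo}/dependency-graph/snapshots.

    `sha` must be exactly the commit the review queries as head-ref and `ref`
    the fully qualified ref it was built from (refs/pull/<n>/head for a PR
    head). A snapshot for a non-default branch is ACCEPTED, but the API says
    it will not update the repository's dependency results (see the 201
    response quoted in the issue).
    """
    resolved = {
        purl: {"package_url": purl, "relationship": "direct",
               "scope": "runtime", "dependencies": []}
        for purl in package_urls
    }
    return {
        "version": 0,
        "job": {"correlator": correlator, "id": str(run_id)},
        "sha": sha,
        "ref": ref,
        "detector": {"name": "example-detector", "version": "0.0.1",
                     "url": "https://example.invalid/detector"},  # placeholder
        "scanned": datetime.now(timezone.utc).isoformat(),
        "manifests": {manifest_path: {"name": manifest_path,
                                      "file": {"source_location": manifest_path},
                                      "resolved": resolved}},
    }


def fetch_compare(owner, repo, base_sha, head_sha, token):
    """Live call: fetch the same base...head diff the action evaluates.

    Needs a token with read access to the repository's contents.
    """
    url = (f"https://api.github.com/repos/{owner}/{repo}/dependency-graph/compare/"
           f"{base_sha}...{head_sha}")
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urllib.request.urlopen(req) as resp:
        # Assumption: snapshot warnings are returned in this response header.
        warnings = resp.headers.get("x-github-dependency-graph-snapshot-warnings")
        return json.load(resp), warnings


def review_compare(changes, fail_on="moderate"):
    """Return (passed, findings) for a compare diff.

    Only packages that are `added` between base and head count; a vulnerable
    package that the PR removes is not a finding.
    """
    threshold = SEVERITY_RANK[fail_on]
    findings = []
    for change in changes:
        if change.get("change_type") != "added":
            continue
        for vuln in change.get("vulnerabilities", []):
            if SEVERITY_RANK.get(vuln["severity"], 0) >= threshold:
                findings.append({
                    "package": f'{change["name"]}@{change["version"]}',
                    "manifest": change["manifest"],
                    "severity": vuln["severity"],
                    "advisory": vuln["advisory_ghsa_id"],
                })
    return (not findings), findings


def _vuln(severity, ghsa):
    return {"severity": severity, "advisory_ghsa_id": ghsa,
            "advisory_summary": "placeholder advisory",
            "advisory_url": "https://example.invalid/advisory"}


# Constructed sample diff; names and ids are placeholders, not real advisories.
SAMPLE_COMPARE = [
    {"change_type": "added", "manifest": "package.json", "ecosystem": "npm",
     "name": "example-parser", "version": "1.2.3", "license": "MIT",
     "package_url": "pkg:npm/example-parser@1.2.3",
     "vulnerabilities": [_vuln("high", "GHSA-xxxx-xxxx-xxx1")]},
    {"change_type": "added", "manifest": "package.json", "ecosystem": "npm",
     "name": "example-logger", "version": "4.0.0", "license": "Apache-2.0",
     "package_url": "pkg:npm/example-logger@4.0.0",
     "vulnerabilities": [_vuln("low", "GHSA-xxxx-xxxx-xxx2")]},
    {"change_type": "removed", "manifest": "package.json", "ecosystem": "npm",
     "name": "example-old", "version": "0.9.0", "license": "MIT",
     "package_url": "pkg:npm/example-old@0.9.0",
     "vulnerabilities": [_vuln("critical", "GHSA-xxxx-xxxx-xxx3")]},
]

if __name__ == "__main__":
    passed, found = review_compare(SAMPLE_COMPARE, fail_on="high")
    for f in found:
        print(f'{f["severity"]}: {f["package"]} in {f["manifest"]} ({f["advisory"]})')
    sys.exit(0 if passed else 1)
```

When wiring this into the reusable workflow from the issue, the `sha` passed to build_snapshot() and the `head_sha` passed to fetch_compare() must both be the value of the head-ref input (github.event.pull_request.head.sha from the caller), otherwise the snapshot and the review are pinned to different commits and the review has nothing to match.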